Ubuntu 22 builders now available for GCP Buildpacks

[jama22]

April 25, 2023 Update
We are now targeting June 5, 2023 for the switchover from latest to google-22

April 24, 2023 Update
In order to reduce the chance of breaking users between v1 and google-22, we're increasing the language support in google-22 by adding:

• Python 3.8
• Python 3.9
• Ruby 3.0

These languages are still in support by their respective OSS communities, so we feel comfortable adding those in.

April 6, 2023 Update:

We're pumping the brakes on the switchover because we're worried about the potential for breaking cloud run deploy --source. Trying to create a few more guardrails for those users before making the official cutover. Will try to keep this thread updated with dates

---

Hi folks!

Today, we're excited to introduce the Ubuntu 22 (Jammy Jellyfish) builders into GCP’s buildpacks. This new builder uses Ubuntu 22 as the base image for both the run and build environments. You can find the new builder under the :google-22 tag here https://gcr.io/buildpacks/builder:google-22

IMPORTANT With the release of this builder we will also be planning to switch over the :latest tag to point to :google-22 on March 6, 2023 June 5, 2023.

Why is this important?

Ubuntu 18 ESM

Using the GCP’s buildpacks project, the default builder gcr.io/buildpacks/builder:v1 uses Ubuntu 18 as the container base image. With Ubuntu 18 moving into Extended Security Maintenance in April, 2023, it will be receiving fewer security and maintenance updates.

Support for Node.js 18 and newer languages

When Node.js 18 launched last year (2022), it was built with a newer version of glibc/Ubuntu that wasn’t available on Ubuntu 18 (#248). The introduction of the Ubuntu 22 builder fixes this. Moving forward, we will be pushing to make the Ubuntu 22 builder the default builder image so that our users get full use of modern OS environments.

Improved Security & Smaller Images

Ubuntu 22 currently falls under Canonical’s Standard Support until April 2027. As some of ya'll have already pointed this out to us in #232, #236 and #270, this leads to container images that have "fixable" CVEs in them.

The Ubuntu 22 builder utilizes the updated jammy packages repo with updated dependencies. Using the Ubuntu 22 builder, you can produce images that are ~27% smaller and with half as many CVEs:

Building a sample-go app we see the following improvements between the builders:

	Ubuntu-18 Builder	Ubuntu-22 Builder
Total CVEs	34	11
Fixable CVEs	5	1
Critical	0	0
High	1	0
Medium	18	4
Low	15	7
Image Size	71.8 MB	54.6 MB

Using the new Builder

The new build can be found at https://gcr.io/buildpacks/builder:google-22

There are three ways to use the new builder:

• Locally with pack CLI
• Remotely with Cloud Build

Locally with pack CLI

You can utilize the --builder flag to specify the new google-22 tag on the builder image as follows:

pack build --builder=gcr.io/buildpacks/builder:google-22 <image name> 

For more detailed instructions on building an image with pack, see Local builds with GCP’s buildpacks

Remotely with Cloud Build

Cloud Build supports additional parameters on the --pack flag. Note that the fields after --pack is one continuous string, with the two parameters separated by a comma ,

gcloud builds submit \
    --pack builder=gcr.io/buildpacks/builder:google-22,image=<region>.pkg.dev/<project>/<repository>/<image-name>

For more detailed instructions on building an image remote with Cloud Build, see Remote builds with GCP’s buildpacks

Supported Language Version

I'll be updating our docs page soon, but the new builder supports the following language versions:

Language	Min Version	Max version	Applications	Functions
Python	3.10.0	3.11.x	✓	✓
Node.js	14.19.2	18.x.x	✓	✓
Go	1.x	Latest	✓	✓
Java	8	19	✓	✓
.NET	6.0.0	7.0.x	✓	✓
PHP	8.1.6	8.2.x	✓	✓
Ruby	3.1.0	3.2.x	✓	✓

Other questions you might have

Where can I find the builder code and image?

• GitHub Source Code: https://github.com/GoogleCloudPlatform/buildpacks/tree/main/stacks/google_22
• Container Registry: https://gcr.io/buildpacks/builder:google-22

What packages are installed onto the builder images

Each builder comes with a build image and a run image.

• Build image packages
• Run image packages

Why is there still 1 fixable CVE in the sample app?

We think it has to do with an outdated dependency, likely the pack CLI. We’ve gotten in touch with the Skaffold team and have requested them to update their images with the newest version of pack. This work is being tracked here GoogleContainerTools/skaffold#8290

Will this break existing apps?

No...not yet! By default, gcr.io/buildpacks/builder points to the latest tag, which in turn points to the v1 tag for our most up-to-date Ubuntu 18 builder.

What's the switchover plan to make google-22 the default builder?

Our plan is as follows:

Announcement

• Announce the new Ubuntu 22 builder google-22 in our OSS repo and our docs (hey, this is it!)
• Update all documents and examples to explicitly show build with google-22 builder wherever possible (in progress)
• Between now and March 6, 2023 June 5, 2023, :latest will point to :v1

Feedback

• Collect feedback from users on the google-22 builder

Switchover

• After March 6, 2023 June 5, 2023 :latest points to :google-22
• :v1 tag will still be available for users who want to build with the older environment

[PieterJanVdb]

The latest tag still appears to be pointing to google-22, anything come up recently that prevents this update?

[jama22]

Good question! We were planning to switch over March 6, but we ran into some hiccups. Its taken a bit longer than we expected to update the PHP buildpacks to support 8.2 We wanted to wait until we had support for all 7 languages before flipping over to latest

We're also pumping the brakes on the switchover because we're worried about the potential for breaking cloud run deploy --source . Trying to create a few more guardrails for those users before making the official cutover. Will try to keep this thread updated with dates

[jama22]

We're attempting to port over as many languages from the v1 builder into google-22. Python 3.8 and 3.9 have been straightforward. Unfortunately for PHP<8.1.6 and Ruby < 3.1.0, they rely on openssl1 and that package is not available in Ubuntu 22. We don't want to be injecting older OpenSSLs into Ubuntu 22, so unfortunately those languages will not be compatible with google-22